In general, determine:
Here's another guide:
First, the team members review the business or project objectives, whether the goal is a product development project or an initiative to develop third-party business partnerships. Starting from business objectives keeps the risk management process aligned with current and future goals.
The second step is to review digital assets such as systems, networks, software, devices, vendors, and data. Cataloging these assets allows the key stakeholders to brainstorm and identify risks corresponding to each.
A risk can be a positive or negative condition with financial, operational, or reputational consequences. Each identified risk is recorded in a risk register.
After risk identification, the risk management team assesses the known risks. Risks interact: a positive risk such as early product delivery can create a negative one, such as a customer being unable to meet the accelerated payment schedule. The project team therefore brainstorms again, this time to analyze the potential impacts of each risk rather than merely to list them.
For each risk identified and assessed, the project team estimates the likelihood of the risk occurring and then its potential impact. Scoring on both dimensions lets the team prioritize the risk events that require the most attention and the most robust mitigation strategies.
A risk assessment matrix is often used to visualize the result. Likelihood runs from low to high on one axis and severity from low to high on the other. Risk events in the upper right quadrant are prioritized first because they combine high probability with the worst severity. Note that the matrix compresses information: a rare but catastrophic event can land in the same cell as a frequent minor one, so the team should read the two axes separately when ordering risks within a cell.
Knowing an organization’s risk tolerance aids in its risk management plan and influences how resources are invested in managing risks. For example, if an organization’s risk tolerance is low, it will invest more heavily in information security controls to protect sensitive and confidential data.
The project team then designs a response for each risk it decides to mitigate, transfer, or avoid; risks it decides to accept are recorded as accepted, with the rationale, so they are consciously owned rather than forgotten. This section of the plan should include the mitigation actions, their dependencies, the chosen risk response, and contingency plans in case the response fails.
Risk monitoring activities should also be designed in this phase so the project team can verify that prevention and mitigation actions are working as expected, for example by re-assessing the residual likelihood and impact of each treated risk at set intervals and comparing it with the organization's tolerance.
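The steps above, carried through end to end as an added example (this is illustrative code, not a method from the original guide): a small risk register is scored on a 1..5 likelihood and impact scale, placed on the matrix, prioritized, given a response according to a tolerance threshold, and then checked after treatment to see whether residual risk still exceeds tolerance. The scale, the midpoint used to split the matrix into quadrants, the decision rule in `decide_response`, and the sample risks in `build_register` are all assumptions for the example.

```python
"""Worked risk-register example: catalogue, score, prioritise, decide, monitor.

Added illustration; the scales, thresholds and sample risks are assumptions,
not taken from any particular organisation's method.
"""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)   # 1 = lowest, 5 = highest, for both likelihood and impact
MIDPOINT = 3          # axis value at which the matrix is split into quadrants


@dataclass
class Risk:
    asset: str                 # catalogued asset (system, vendor, data set, ...)
    description: str
    likelihood: int            # 1 rare .. 5 almost certain
    impact: int                # 1 negligible .. 5 severe
    response: str = "undecided"                  # avoid / mitigate / transfer / accept
    residual_likelihood: Optional[int] = None    # re-assessed after treatment
    residual_impact: Optional[int] = None

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")


def score(likelihood: int, impact: int) -> int:
    """Risk score: the product of the two matrix axes."""
    return likelihood * impact


def quadrant(likelihood: int, impact: int) -> str:
    """Place a risk on the likelihood (x) / severity (y) matrix."""
    likely = likelihood >= MIDPOINT
    severe = impact >= MIDPOINT
    if likely and severe:
        return "upper-right"   # high probability, worst severity: handle first
    if severe:
        return "upper-left"    # severe but unlikely
    if likely:
        return "lower-right"   # likely but minor
    return "lower-left"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe events rank above frequent trivia."""
    return sorted(register, key=lambda r: (score(r.likelihood, r.impact), r.impact), reverse=True)


def decide_response(risk: Risk, tolerance: int) -> str:
    """Assumed decision rule: anything at or below tolerance is accepted; above it, the
    quadrant decides between mitigating (reduce likelihood) and transferring (insure/contract)."""
    if score(risk.likelihood, risk.impact) <= tolerance:
        return "accept"
    q = quadrant(risk.likelihood, risk.impact)
    return "transfer" if q == "upper-left" else "mitigate"


def monitor(register: list[Risk], tolerance: int) -> list[str]:
    """Return assets whose residual risk (after treatment) still exceeds tolerance,
    i.e. where the mitigation or transfer is not working as expected."""
    flagged = []
    for r in register:
        if r.response in ("mitigate", "transfer") and r.residual_likelihood is not None \
                and r.residual_impact is not None:
            if score(r.residual_likelihood, r.residual_impact) > tolerance:
                flagged.append(r.asset)
    return flagged


def build_register() -> list[Risk]:
    """Constructed sample register for the example (not real data)."""
    return [
        Risk("guest wifi", "guest network congestion", likelihood=2, impact=2),
        Risk("build pipeline", "flaky tests delay a release by a day", likelihood=5, impact=1),
        Risk("customer database", "nightly backup bucket is publicly readable", likelihood=4, impact=5),
        Risk("payment vendor", "vendor insolvency halts settlement", likelihood=2, impact=5),
    ]


def run_example(tolerance: int = 6) -> dict:
    register = prioritise(build_register())
    for r in register:
        r.response = decide_response(r, tolerance)
    # Assumed monitoring data: re-assessment after the chosen responses were applied.
    register[0].residual_likelihood, register[0].residual_impact = 2, 5   # control only partly effective
    register[1].residual_likelihood, register[1].residual_impact = 2, 2   # contract now covers the loss
    return {
        "order": [r.asset for r in register],
        "responses": {r.asset: r.response for r in register},
        "still_above_tolerance": monitor(register, tolerance),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_example())
```

With a tolerance of 6 the public backup bucket (score 20, upper right) ranks first and is mitigated, the vendor insolvency (score 10, severe but unlikely) is transferred, and the two low-score items are accepted. The monitoring pass then flags the database risk because its residual score (2 x 5 = 10) is still above tolerance, which is exactly the signal the monitoring phase exists to produce.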